[Owasp-leaders] 2016 Developer Survey Results

Mark Miller mark.miller at owasp.org
Wed Mar 23 14:55:33 UTC 2016


Attending, participating and supporting other conferences is a cornerstone
of community activity, not just to get our message out, but to participate
in a global ecosystem of DevSecOps.

Regarding participation in other conferences, I can confirm that when I produced
the DevOps track at RSA Conference 2016 three weeks ago, we had 600+ people
attend the full day of sessions. These were security people, at a security
conference, interested in what was going on outside of their main area of
expertise.

Mark

On Tue, Mar 22, 2016 at 5:06 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >>That's why I think heading out to the large cons is a good start.
> Yes, I believe so too, however the strategy must not be just to be there
> but:
>
>    - Do surveys to research more how to engage these devs
>    - Just giving a 'talk' does not mean you are really engaging the
>    developer audience
>
> Effective ways to reach this audience.
>
> We need to put the helmet of a developer on our heads. Not just *look*
> at it from the 'security' perspective
>
> We 'devs' hate security (many I have spoken with, including me). It makes our
> lives difficult, we only want to focus and get the work done at the
> functional part with all the pressure there is  to deliver and produce
> software. From the business pov people(aka Sales+Managers) want to deliver
> software that works and they also tend to forget 'security' as part of the
> offer (aka quotation and price).
>
> Only when they hear there is a 'pen tester' coming, everyone starts biting
> their nails 😱
>
> Or when they hear 'the application has been hacked' 😵 (which also
> happened to me. So you engage most of the time when it is too late) Then you
> get paranoid. Then you only think about security about this traumatic
> experience. So traumatic to me that now I'm into Offensive security
> certification, and all kinds of 'security mixed' things...I have been
> 'converted' 😁
>
> My experience is, developers want easy solutions and not people preaching
> to us that is all our blame ... Not preaching to us security especially to
> those that see this as extra work...
>
> What are other developers' experiences with security? I would love to know.
>
>
>
>
>
> On Tue, Mar 22, 2016 at 4:46 PM, Bill Sempf <bill at pointweb.net> wrote:
>
>>
>>
>> On Tue, Mar 22, 2016 at 4:36 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>>
>>>
>>> It will be interesting to know *how* to engage properly developers with
>>> zero background in security.
>>>
>>>
>>>
>> I can't speak for everyone on the initiative team, but this is exactly
>> why  I am interested in this.
>>
>> Since 2010 I have made "bridging the gap" a core focus of my community
>> work. I give developer talks at security cons and security talks at
>> developer cons.  Bringing the official OWASP banner to developer cons and
>> talking to current devs about what they really need from us has brought me
>> personally a lot of targeted focus in my content creation.
>>
>> That's why I think heading out to the large cons is a good start.
>>
>> S
>>
>>
>>>
>>> On Tue, Mar 22, 2016 at 4:26 PM, Noreen Whysel <noreen.whysel at owasp.org>
>>> wrote:
>>>
>>>> I think it is pretty clear. Find out what kinds of developer events
>>>> people are going to, have a presence at these events, learn how they are
>>>> reaching, teaching and communicating with the developer community. Then the
>>>> "design an outreach program" part takes into consideration what we learned.
>>>> I think the last part is what Johanna is interested in and can be developed
>>>> at a local chapter level or via virtual trainings. But we want to do a
>>>> little research first to find out how to engage developers and where our
>>>> message fits.
>>>>
>>>> Noreen Whysel
>>>> Community Manager
>>>> OWASP Foundation
>>>>
>>>> On Tue, Mar 22, 2016 at 4:20 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>>  Just "being there" is a great place to start.
>>>>>
>>>>> Hi Bill, I believe this already happens. With just being there in a
>>>>> form of a booth presence does always help. That's actually how I got
>>>>> involved with owasp, but this is an 'old' strategy, nothing new and only
>>>>> has impact on those developers that assist to conferences.
>>>>>
>>>>> What about all those thousands of devs that cannot pay for these expensive
>>>>> conferences, living in countries like mine?
>>>>>
>>>>> I support Matt's idea and I just think that it needs to be promoted so
>>>>> we can design this outreach, not just as visiting conferences
>>>>>
>>>>> cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Tue, Mar 22, 2016 at 4:16 PM, Bill Sempf <bill at pointweb.net> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Mar 22, 2016 at 4:04 PM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> We do not reach this community just by assisting to these
>>>>>>> conferences.
>>>>>>>
>>>>>>>
>>>>>> I disagree comprehensively with this statement. Through participation
>>>>>> in developer conferences like CodeMash and Stirtrek, I have seen
>>>>>> quantifiable increase in the 'reach' of security.  All of the OWASP
>>>>>> chapters in the area have seen significant increases in growth, there have
>>>>>> been far more security-focused talks at user groups, and there has been a
>>>>>> significant increase in requests for security expertise from the area
>>>>>> consulting firms.  Just "being there" is a great place to start.
>>>>>>
>>>>>> That said, if something significant is learned while we are just
>>>>>> being there, and it leads to a larger strategy, so be it.  Personally, I'm
>>>>>> pleased to see some action on a front of attack, rather than constant
>>>>>> discussion.  It's a low risk activity with a potentially high reward.
>>>>>>
>>>>>> S
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>


-- 
*Mark Miller, Senior Storyteller*
*Curator and Founder, Trusted Software Alliance*

*Host and Executive Producer, OWASP 24/7 Podcast Channel*
*Community Advocate, Sonatype*

*Developers and Application Security: Who is Responsible?*
<https://www.surveymonkey.com/s/Developers_and_AppSec>